How Spamhaus addresses DNS abuse

In this latest segment of the iQ video blog series, I conducted a wide-ranging discussion with Carel Bitter, the Head of Data at Spamhaus. Carel is part of the very fabric of The Spamhaus Project, having been with the organization for over a decade.

Topics include:

  • How is the Spamhaus Domain Block List (DBL) used?
  • How is the list compiled? How do you calculate it?
  • Comments on real data vs. fake data use trends.
  • Comments on measuring the effect of price vs. measuring # of abuse reports in new gTLDs vs. ccTLDs and legacy TLDs.
  • How can a TLD or registrar get off the “bad list”?
  • How can a registry, registrar, or registrant remove a specific name or bulk list of names from the DBL?
  • What about domains in the DBL where no evidence of spam is actually detected?
  • Any systematic way to provide a real time feedback loop on takedowns/serverHolds?
  • Why do some TLDs or registrars suddenly appear and then disappear from the bad lists?
  • What about providing evidence? Is it possible to get email headers or other evidence with your reports?
  • What are some new attack vectors you are observing these days? What’s a “phishing rod” threat vs. a “phishing” threat?

I hope you find the interview helpful to your operation. We all must continue to cooperate and share knowledge in the effort to fight DNS abuse.

Managing Domain Name Abuse

For episode #4 of the iQ video blog series, we took a deeper dive into the world of managing domain name abuse with iQ’s resident expert and czar of managing domain name abuse for a variety of iQ clients, Mr. Steinar Grøtterød, officially Director of Registry Operations & Compliance at iQ.

I had the opportunity to get Steinar’s opinions on such matters as:

  • How can a registry or registrar reduce the amount of duplicative and non-actionable abuse reports?
  • How do you get off a blacklist or bad list?
  • Should there be evidence standards from the reputation/blacklist providers?
  • What’s up with ccTLDs and abuse?
  • Why do European ccTLD operators, registrars, and resellers need to start paying attention to the NIS2 Directive?

A conversation with MrPremium.com

This marked my third interview conducted for the iQ video blog series. For this episode we took the subject matter in a different direction, posting my conversation with a rising businessperson in the domain name industry aftermarket segment, Mr. Mark Ghoriafi, who is the founder of MrPremium.com.

It’s no surprise that buying and selling premium domain names (via EPP or direct) represents a significant revenue opportunity for many registry operators, registrars, resellers, aftermarket sites, auction houses and third party brokers such as MrPremium.com.

Mark shares a few stories about his unusual entry experience into the domain name industry, and how he uses data and other assets to help him sell premium domain names. He also shares tips on which web tools and techniques he finds useful in his day to day outbound sales operation along with thoughts about social audio platforms’ (e.g. Clubhouse) impact on the industry to date.

Cleaning Up The Internet

My interview with Jorij Abraham, director of Scamadviser.com. This video was published along with a blog post over at iQ on March 2, 2021.

Amsterdam, March 2nd, 2021.

iQ Abuse Manager & Scamadviser.com Clean Up the Internet
By allowing Internet Infrastructure providers to act faster, more effectively and efficiently against scams.

Every day more than 15,000 new malicious websites pop-up on the web. They exploit the infrastructure of the Internet, causing $43 billion in damages to consumers, business, and service providers.

To help registrars, registries and hosting companies identify online scams faster, iQ Abuse Manager and Scamadviser have joined forces.

Scamadviser.com checks 50,000 new domain names every day to determine the likelihood of being either legit or a possible scam. iQ Abuse Manager has integrated Scamadviser’s data into its abuse feed to make identification of malicious websites faster and easier, and to make takedown processes more efficient.

LG Forsberg, CTO of iQ explains why the cooperation with Scamadviser is unique: “Our abuse feed already includes a multitude of sources reporting on many types of malicious behaviour like phishing, malware, botnets and spam. However, the number of scams where consumers and businesses lose money to actors not delivering products or services or in other ways scam consumers of data or money is growing at an exponential rate. Scamadviser’s data is unique in that it can identify these kinds of cybercrime.”

Jorij Abraham, director of Scamadviser elaborates: “We are incredibly happy that iQ has integrated our data into its feed and abuse manager platform, helping more than 150 Internet infrastructure providers to keep the Internet safe. In this way our mission to protect consumers from being scammed is taking the next big step.”

###

About iQ

iQ is a SaaS, software, and consulting service provider for the domain name industry, working with over 150 different top-level domain names and domain name registrars, bringing them intelligence, automation, and access to expertise and experience. iQ Abuse Manager is a CRM-like abuse management system primarily for top-level domain name registries, registrars, and hosting companies. Every day the service performs more than 60 million scans to combat domain name abuse.  

For questions regarding iQ and iQ Abuse Manager you can contact lg@iq.global

About Scamadviser.com

Scamadviser.com is used by over 2.5 million consumers every month to determine if a website is legitimate or a scam. Scamadviser’s data is also used by law enforcement, brand protection agencies, social media networks and security companies to fight online fraud. Scamadviser is an initiative of the Ecommerce Foundation.

For questions you can contact: jorij.abraham@ecommercefoundation.org, +31 6 52840039.

A conversation with “LG” Forsberg

This first week of February 2021 marks the beginning of a video blog series I’ll be producing for our company, iQ. We plan to feature experts sharing their stories and insight on relevant topics that many of us deal with in our day-to-day tasks along with overarching topics facing the domain industry. And maybe we’ll share a refreshing beverage or two while we talk. Who knows where the conversation will go!

This first episode features a 20 minute interview with iQ’s CTO, Mr. “LG” Forsberg. If you’ve ever attended or wanted to attend Nordic Domain Days (LG’s the founder); want to hear what he has to say about challenges in trying to tackle domain name abuse and how iQ decides which abuse feeds/reputation block lists to integrate, then you may want to check out this video.

This is a work in progress so feedback is welcome. We expect to refine and improve it over time!

iQ Domain Analytics Campaign Tracker saves time, headaches and resource costs for registry operators.

Are you using spreadsheets, or other dashboard or “spreadsheets on steroids” services that require a lot of handholding because they are designed by people who are not in the domain industry?

iQ Analytics is a SaaS Business Intelligence platform used by gTLD and ccTLD Registries. It has the ability to track Registry marketing campaigns and provide actionable insights into the performance of your Registrar campaigns.

Spend 4 minutes and take a look at the iQ Analytics Campaign Tracker and Dashboard. It’s specifically designed for the domain industry, by the domain industry.

iQ Abuse Manager – Not Just for Registries

This is an article originally posted on the iQ blog on September 9, 2020.

Subsequent to our last post announcing RegistryOffice becoming iQ, our new company name and the umbrella for all our products and services, we’d like to inform you that iQ Abuse Manager (formerly RegistryOffice Abuse Monitor) is now used by leading registrars and nearly 150 gTLDs and ccTLDs, and is also available to hosting service providers and brands.

Check out our just released 5 minute introductory video:

iQ Abuse Manager is our abuse management service where we offer access to curated abuse feeds from the world’s leading sources together with an API and management system, which makes handling domain name abuse cases as efficient as possible. We also provide a fully managed service utilising this tool.

The applications for our service are quite broad. For example, if you are a brand owner with a portfolio of domain names, iQ Abuse Manager can alert you if any of those names have been reported in our abuse feeds.

If you are a registry operator contracted with ICANN, the iQ Abuse Manager will assist you in keeping your namespace clean and in compliance with ICANN Spec 11.3.b. 

If you are a registrar, you can, for example, integrate our API with your existing CRM/ticketing system to proactively detect and manage reported abuse cases. With this tool a registrar can work in concert with various parties in reducing abuse levels.

Whether you are a registry, registrar or hosting service, iQ Abuse Manager will help you improve your abuse workflow, reduce associated costs, mitigate false positives and help to protect your own brand and reputation.  It also helps to build a safer Internet! 

We’re currently offering a free no-obligation trial. Contact us at sales@iq.global to get started.

RegistryOffice becomes iQ

Introducing you to iQ, our new company name and the umbrella for all our products and services! Our ownership, people and services remain the same.

This is an article originally posted on the iQ blog on August 25, 2020.

RegistryOffice and Abuse Monitor are two services that were born out of a need when our company was the operator of the .global top-level domain. 

Both services have since grown substantially, and last year we chose to let .global go in order to focus on our core services instead. Since then, the company name RegistryOffice has served us well, and many in the domain name industry recognise the company name and the people who work with us. 

However, we have reached a point where the name no longer reflects what we do.   Our customers are no longer limited to registries but also include registrars, resellers, backend providers, brand owners, and domain investors to name a few. 

After much internal discussion and customer feedback, we have started the journey towards rebranding RegistryOffice and our services to be a better fit going forward.


We would like to introduce you to iQ, our new company name and the umbrella for all our products and services! While our name is changing, our ownership, people and services remain the same.

Our new iQ brand stands for Intelligence and Quality in everything we do. 

This journey has only just begun, and the new name and website, https://iq.global is just the first step.  

Our services now have updated names and logos. More details about them will appear soon on our new website.  For example:

iQ Domain Analytics (formerly RegistryOffice Business Intelligence) is our Business Intelligence product for top-level domain name registries.

iQ Abuse Manager (formerly RegistryOffice Abuse Monitor) is our abuse management service where we offer access to curated abuse feeds from the world’s leading sources together with an API and management system, which makes handling abuse cases as efficient as possible. We also provide a fully managed service utilising this tool.

iQ Broker is our super premium domain brokerage service. Our experts have trusted global knowledge and direct experience to assist in selling, acquiring and appraising super premium names. Our first listing, amen.com, is currently available for offers. 

iQ Consulting offers our senior staff as consultants to the domain name industry. With over a hundred years of accumulated experience in the domain name business and significant skill in managed abuse, top-level domain name policy making, operations, premium name strategy and system development, we can offer something that not many others can. 

iQ DevOps is where your ideas of a new portal, site, or service can go from vision to completion, developed by us, and operated in the cloud. The service includes access to project managers, visual, system and database designers, full-stack development teams, and high-availability operations experts. 

Again, while our name is changing, our ownership, people and services remain the same. We are committed to providing the best possible experience for our existing customers and look forward to welcoming new customers to iQ. 

If you would like more information about this change or our services, please contact anyone in our team directly, or at hello@iq.global.  Also be sure to follow us on Twitter at https://twitter.com/iqglobalas or LinkedIn at https://www.linkedin.com/company/iqglobal

RegistryOffice adds more COVID-19 scam domain report feeds to Abuse Monitor.

This is an article that I originally posted on our RegistryOffice.blog site on April 1st.

We’ve added more source feeds reporting suspected COVID-19 pandemic-related domain scams and will shortly add human-verified blacklist feeds to production in our Abuse Monitor. This will help registry operators, registrars and hosters to save resources and effort managing the flood of COVID-19 domain abuse reports.

We will provide these feeds, as well as our existing reputation feeds, via Abuse Monitor at no charge or obligation for 60 days to any registry operator (gTLD or ccTLD), registrar or hosting provider that wants access. Included in the service is our tool to manage identified domain abuse cases either through a web interface or through our API. Contact us to get going.

[Screenshot: covid19abuse with registrars example]

We initially integrated a list provided by Malware Patrol and have since added CheckPhish.ai and a continuously updated blacklist provided by the COVID-19 Cyber Threat Coalition (@ThreatCoalition) that we have joined and endorsed. This is a remarkable global volunteer coalition of cybersecurity experts publishing data sets with indicators believed to be used by criminals trying to prey on individuals, organizations, businesses and governments using the COVID-19 pandemic. 

The additional feeds, as well as our existing reputation feeds, will help users determine if the multiple feeds that we have curated are reporting suspected abuse for the same domain name. Below is an example screenshot where three different sources are reporting for the same domain name:

[Screenshot: covid19mask multi-case example]

We are working hard on combining all available intelligence and endeavour to compare what is received against vetted whitelists in order to assist in reducing false positives. As development cycles can vary widely among registry operators, registrars and hosters, getting access to this tool now (and at no charge) can assist in mitigating this particular abuse threat and free up internal dev people for other priorities.  

We are using the same abuse monitoring workflow logic that already applies to our tool for monitoring and managing domain abuse as defined by ICANN spec 11.3.b.  Ultimately it is up to the registry operator or registrar to investigate each report of abuse and then manage each case according to their own policies and protocol, or they can be managed by RegistryOffice if using our managed services. 

The ICANN Registry Agreement Spec 11.3B is related to DNS abuse. The COVID-19 feeds are more focused on content on a website.

Some of our COVID-19 feeds identify a domain name as suspicious based on keywords (“corona” “covid19” or other related keywords). This does not necessarily mean that the domain is being used for nefarious purposes. Some new registrations may be legitimate or point to parking pages. However, our testing has found that many are being used for malicious purposes such as leading to malware and phishing activity, which by our interpretation constitutes domain name abuse as defined by spec 11.3.b.   

We will shortly include vetted COVID-19 feeds. A vetted feed is investigated by humans and should therefore be more accurate, with fewer false positives.

Compared with “legacy” Reputation Block Lists (Spamhaus, SURBL etc), we ask you to understand that the COVID-19 feeds are developed rapidly and in a more “ad-hoc” design. Our objective in adding the COVID-19 feeds is to take part in the fight against false information, scams and phishing. We cannot let the pandemic be a playground for the bad guys.
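The triage logic described above (several feeds reporting the same domain, keyword-only hits, human-vetted feeds, and comparison against a whitelist) can be sketched as follows. This is an added example, not code from RegistryOffice/iQ or from Abuse Monitor; the feed names, feed kinds, priority labels and sample reports are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical feed names and kinds; real feeds and their formats differ.
FEED_KIND = {"kw-feed": "keyword", "feed-a": "observed",
             "feed-b": "observed", "vetted-feed": "vetted"}

# Constructed sample reports (domain, feed), all under the reserved .example TLD.
REPORTS = [
    ("covid19-masks.example", "kw-feed"),
    ("covid19-masks.example", "feed-a"),
    ("COVID19-Masks.example.", "feed-b"),   # same name, different case / trailing dot
    ("corona-info.example", "kw-feed"),     # flagged on keyword only
    ("login-update.example", "vetted-feed"),
    ("covid19.agency.example", "kw-feed"),  # subdomain of an allowlisted name
    ("shop.example", "feed-a"),
    ("shop.example", "feed-a"),             # repeat report from the same feed
]
ALLOWLIST = {"agency.example"}              # constructed vetted whitelist

def normalize(domain):
    """Canonical form so the same name from different feeds lands in one case."""
    return domain.strip().lower().rstrip(".")

def allowlisted(domain, allowlist):
    """True if the domain is an allowlisted name or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)

def triage(reports, allowlist):
    """Group reports per domain and assign an investigation priority."""
    feeds_by_domain = defaultdict(set)
    for domain, feed in reports:
        feeds_by_domain[normalize(domain)].add(feed)  # set drops repeat reports
    cases = {}
    for domain, feeds in feeds_by_domain.items():
        kinds = {FEED_KIND[f] for f in feeds}
        if allowlisted(domain, allowlist):
            priority = "suppressed"   # likely false positive, keep for audit
        elif "vetted" in kinds:
            priority = "high"         # a human has already investigated
        elif len(feeds) >= 2:
            priority = "medium"       # independent feeds agree
        elif kinds == {"keyword"}:
            priority = "review"       # name matched a keyword, nothing observed
        else:
            priority = "low"
        cases[domain] = (priority, sorted(feeds))
    return cases
```

The priority only orders the queue; each case still needs investigation under the operator's own policy before any action is taken on the domain.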

We believe our subscribers will benefit from having this information and determine how best to act to protect their interests, and ultimately the public. We invite any registry operator (gTLD or ccTLD), registrar or hosting provider that has not yet subscribed to our domain Abuse Monitor to leverage our tools and the COVID-19 scam intelligence at no charge and no obligation for 60 days. Contact us to get going.

Updated 2 April 2020 by Pinky Brand
Posted 1 April 2020 by Pinky Brand